Ssl-redirect not working?

kallisti5 · December 2, 2019, 5:07pm

Trying to use the Kubernetes annotation "ingress.kubernetes.io/ssl-redirect: "true"" which has become the standard for forced https redirects.

I'm finding documentation of it working on v1.7, but on v2.x it doesn't seem to be working. What's going on?

Ingress:

---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: jira-ingress-lb
  namespace: jira
  annotations:
    #kubernetes.io/ingress.class: "gce"
    #ingress.kubernetes.io/force-ssl-redirect: "true"
    kubernetes.io/ingress.class: "traefik"
    ingress.kubernetes.io/ssl-redirect: "true"

ldez · December 2, 2019, 7:41pm

Hello,

in v2, the annotations are not supported.

You have to use our IngressRoute: https://docs.traefik.io/v2.0/providers/kubernetes-crd/

kallisti5 · December 2, 2019, 7:43pm

Pass? I want my k8s manifests to work across Ingress Controllers. IngressRoute is a Traefik-only solution.

kubernetes-ingress seems to still ship with the product.

ldez · December 2, 2019, 7:45pm

The annotations are not supported with the v2.

The support of ingress is minimalist, you have to use IngressRoute if you want to access to all the features.

kallisti5 · December 2, 2019, 7:46pm

Will v1.x be supported indefinitely? There's literally no way i'm going to switch to that across all the places i've used Traefik.

ldez · December 2, 2019, 7:48pm

no, the v1 will be supported for ~1 year.

ldez · December 2, 2019, 7:49pm

You can use the migration tool: https://github.com/containous/traefik-migration-tool

Also you can read the migration guide: https://docs.traefik.io/v2.0/migration/v1-to-v2/

Note that the ingress are still supported, only the standard spec, so without annotations.

kallisti5 · December 2, 2019, 7:55pm

Nah. I liked Traefik on Docker Compose (and Traefik on k8s) over the last few years due to the simplicity.

Traefik on k8s made sense because it was "generic". I could write an Ingress and be able to change Ingress Controllers without rewriting "1,000's of lines of YAML". Why would I invest time changing all of our yaml to Traefik's custom ingress resource, when on a whim Traefik could "redo everything again" on v3??

On top of all of this, the new v2 documentation sucks and is hard to follow.

So nah. Switching to Envoy/nginx/anything else.

ldez · December 2, 2019, 8:00pm

Feel free to use the proxy you want.

You have to know that we are not alone to use custom CRD.
The current Ingress are in the end of life, Ingress are too limited, so as the other proxies we tried to enhance the routing configuration for k8s.

kallisti5 · December 2, 2019, 8:14pm

I'm posting this here just to vent and so you can understand some of the frustrations of someone who has been using Traefik v1 in production for a few years now. None of this is personal, and I appreciate everything the Traefik team has done.

What was the issue just using annotations for configuration beyond the base Ingress specification for v2, introducing kubernetes-crd as an option people could migrate to?

If IngressRoute was proposed to k8s, you could use it as a trial in v2, and we could continue with kubernetes-ingress I wouldn't be here. It's frustrating that every time it feels like we're at a point of consensus, everyone throws their hands up and starts over from scratch with no easy transition path.

This really isn't how any kind of "enterprise ready (aka traefik-ee)" software functions. Look at the threads on Slack in #support and the threads here, it's the exact same sentiment over and over. The most basic usage cases (redirecting to ssl, setting up ACME, simple redirects, etc) not functioning in v2, people not being able to figure out what changed in v2 due to the new docs, and people either "redoing everything" or getting frustrated and going silent.

ldez · December 2, 2019, 8:29pm

The migration tool is able to migrate 90% of the v1 Ingress to IngressRoute.

The users that don't have problem don't come to the support. So yes in the support you will see users who need help.

We have not "redoing everything".

To be able to add new features that are highly requested by users, (like TCP, middlewares, mirroring, canary, ...) we changed some pieces to be more flexible.

We rename frontend to router, backend to service.

But yes Traefik v2 contains changes, but changes are required, we have to follow the life of the eco-system.

kallisti5 · December 2, 2019, 8:33pm

That's my work refactoring Traefik v1 for v2. 90% of the lines related to Traefik are modified thus me using the language "everything"

ldez · January 18, 2020, 5:31pm

FYI we added annotations for Ingress in the next release (v2.2):

And we still working on improvements (even for Ingress)

wrigtim · March 18, 2020, 2:59pm

We have also been big fans of traefik for some time (migrated from NGINX). Unfortunately in a larger organisation the deployments to the cluster are made by many different teams, and to migrate to V2 we will have to have every single team change their deployment mechanism to support the new CRDs.

Is it possible to add support back for ingress.kubernetes.io/ssl-redirect: "true" specifically? There's also some useful CORS annotations, but those we can likely workaround.

Jancis · December 3, 2020, 12:31pm

Same here - support for this annotation is the single missing piece for our migration to official traefik (2) chart.

Topic		Replies	Views
Traefik V2 not working on Ingress Traefik v2 kubernetes-ingress	17	6254	May 12, 2020
Traefik v2.1 Configuration for HTTPs support with Kubernetes Ingress Traefik v2 kubernetes-ingress	0	563	January 17, 2020
Traefik 1.7 Kubernetes Ingress Controller - redirection is not working? Traefik v2 kubernetes-ingress	0	318	February 12, 2021
Support of K8s Ingress object? Traefik v2 kubernetes-ingress	2	366	September 17, 2020
V2.2 doesn't create TLS / HTTP in Kubernetes Ingress (non CRD) Traefik v2 kubernetes-ingress	7	598	April 6, 2020

Ssl-redirect not working?

Related Topics